Malicious Link
An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques, such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.

There are many ways an adversary can leverage malicious links to gain access to a victim system via an AI system. For example, an AI agent that is configured not to validate website origin headers will accept connections from any website, allowing adversaries to reach a previously inaccessible network.
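The origin validation that the agent example above lacks, sketched as an added example (not code from this page or from any project listed here): an exact-match allowlist check on the `Origin` header that also rejects lookalike hosts, userinfo tricks and opaque origins. The allowlist values, the function names and the policy of denying requests with no `Origin` are assumptions.

```python
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Return canonical 'scheme://host[:port]', or None if value is not a usable origin."""
    if not value or value.strip().lower() == "null":
        return None  # header absent, or opaque origin (sandboxed iframe, file://)
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on an out-of-range port
    except ValueError:
        return None
    if parts.scheme not in _DEFAULT_PORTS or not parts.hostname:
        return None
    # A browser-sent Origin has no userinfo, path, query or fragment.
    if parts.username or parts.password or parts.path or parts.query or parts.fragment:
        return None
    if port is None or port == _DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


# Constructed allowlist for a hypothetical agent UI; replace with your own origins.
ALLOWED = frozenset(map(normalize_origin, (
    "http://localhost:3000",
    "https://agent.example.internal",
)))


def is_trusted_origin(headers):
    """Exact-match the request's Origin against the allowlist; deny when absent."""
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = normalize_origin(lowered.get("origin"))
    return origin is not None and origin in ALLOWED


if __name__ == "__main__":
    samples = [  # constructed header sets
        {"Origin": "http://localhost:3000"},
        {"Origin": "https://agent.example.internal.evil.test"},
        {"Origin": "https://agent.example.internal@evil.test"},
        {"Origin": "null"},
        {},
    ]
    for h in samples:
        print(h.get("Origin"), "->", "accept" if is_trusted_origin(h) else "reject")
```

Non-browser clients send no `Origin` header, so under this deny-by-default policy they need a separate authenticated path.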
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-33749 | n8n: stored XSS enables credential theft via workflow | n8n | 9.0 |
| HIGH | CVE-2021-39160 | nbgitpuller: RCE via OS command injection in git URLs | | 8.8 |
| HIGH | CVE-2026-25750 | langsmith: security flaw enables exploitation | langsmith | 8.1 |
| HIGH | CVE-2024-7806 | Open-WebUI: CSRF enables RCE via pipeline code injection | open-webui | 8.0 |
| HIGH | CVE-2025-64496 | open-webui: Code Injection enables RCE | open-webui | 7.3 |
| HIGH | CVE-2026-44721 | open-webui: XSS in model descriptions steals session tokens | open-webui | 7.3 |
| MEDIUM | CVE-2024-7035 | Open WebUI: CSRF wipes RAG DB and AI memories via GET | open-webui | 6.9 |
| MEDIUM | CVE-2024-7044 | Open WebUI: Stored XSS via file upload, session hijack | open-webui | 6.8 |
| MEDIUM | CVE-2024-6581 | Lollms: SVG upload XSS enables session hijack and RCE | lollms | 6.5 |
| MEDIUM | CVE-2026-26320 | OpenClaw: UI deception enables arbitrary command execution | openclaw | 6.5 |
| MEDIUM | CVE-2024-37146 | Flowise: reflected XSS enables credential theft | flowise | 6.1 |
| MEDIUM | CVE-2025-25296 | Label Studio: reflected XSS via label_config param | label-studio | 6.1 |
| MEDIUM | CVE-2021-28796 | Qiita::Markdown: XSS in transformer components | | 6.1 |
| MEDIUM | CVE-2024-4940 | Gradio: open redirect enables phishing against ML users | gradio | 6.1 |
| MEDIUM | CVE-2023-6568 | MLflow: reflected XSS via Content-Type header injection | mlflow | 6.1 |
| MEDIUM | CVE-2023-27494 | Streamlit: reflected XSS enables session hijacking | streamlit | 6.1 |
| MEDIUM | CVE-2024-37145 | Flowise: reflected XSS enables file read chain via chatflow | flowise | 6.1 |
| MEDIUM | CVE-2024-36423 | Flowise: reflected XSS in chatflow API enables session hijack | flowise | 6.1 |
| MEDIUM | CVE-2024-36422 | Flowise: reflected XSS enables session hijack and file read | flowise | 6.1 |
| MEDIUM | CVE-2024-8021 | Gradio: open redirect exposes AI demo users to phishing | gradio | 6.1 |
| MEDIUM | GHSA-564p-rx2q-4c8v | BentoML: open redirect exposes ML teams to phishing | bentoml | 6.1 |
| MEDIUM | CVE-2025-49592 | n8n: open redirect enables phishing via login flow | n8n | 5.4 |
| MEDIUM | GHSA-364x-8g5j-x2pr | n8n: stored XSS via malicious OAuth2 Authorization URL | n8n | 5.4 |
| MEDIUM | CVE-2025-58177 | n8n: stored XSS in LangChain chat trigger (public) | n8n | 5.4 |
| MEDIUM | CVE-2026-25640 | pydantic-ai: Path Traversal enables file access | pydantic-ai-slim | 5.4 |
| MEDIUM | CVE-2026-40864 | JupyterHub: CSRF bypass on spawn and share endpoints | jupyterhub | 5.4 |
| MEDIUM | CVE-2026-44568 | open-webui: XSS in pending overlay enables session hijack | open-webui | 4.8 |
| MEDIUM | CVE-2026-28415 | gradio: Info Disclosure leaks sensitive data | gradio | 4.7 |
| MEDIUM | CVE-2026-33720 | n8n: OAuth state forgery hijacks user credentials | n8n | 4.2 |
| MEDIUM | GHSA-w673-8fjw-457c | n8n: stored XSS enables phishing via Form Node | n8n | 4.1 |
| LOW | CVE-2025-3777 | Transformers: URL validation bypass exposes image pipeline | transformers | 3.5 |
| LOW | CVE-2025-59842 | JupyterLab: missing noopener enables reverse tabnabbing | | — |
| LOW | CVE-2025-50736 | pdf2zh: security flaw enables exploitation | | — |
| MEDIUM | CVE-2026-21883 | | | — |
| MEDIUM | CVE-2026-23528 | | | — |
| CRITICAL | CVE-2025-62593 | ray: Code Injection enables RCE | ray | — |
| MEDIUM | CVE-2025-61669 | jupyter-server: Open redirect enables credential phishing | jupyter-server | — |
| UNKNOWN | CVE-2026-42235 | n8n: stored XSS via MCP OAuth steals agent sessions | n8n | — |
| UNKNOWN | CVE-2026-42230 | n8n: MCP OAuth open redirect enables phishing | n8n | — |
| HIGH | CVE-2025-23205 | nbgrader: Clickjacking exposes formgrader via IFrame | | — |
| MEDIUM | CVE-2026-33709 | JupyterHub: open redirect enables post-login phishing | | — |
| HIGH | CVE-2025-47783 | Label Studio: XSS enables unauthorized actions via CSRF | label-studio | — |